Fighting Cyber-Enabled Fraud 2025

Page 17 of 31 · WEF_Fighting_Cyber-Enabled_Fraud_2025.pdf

infrastructure operators should deploy back-end protective measures preventing users from reaching malicious sites entirely. Internet service providers and network operators should offer protective DNS as default, drawing from shared threat intelligence feeds updated in real time. Browsers and security software should implement block-listing mechanisms that prevent access to known malicious domains. Success requires coordinated action among certificate authorities, browser vendors, DNS providers and regulators.

BOX 6 – Belgium’s Safeonweb: A model for browser trust signals

Centre for Cybersecurity Belgium developed the Safeonweb browser extension58 to help citizens assess website trustworthiness through simple visual indicators. The extension displays colour-coded signals for every website visited: green indicates that the owner has been validated, orange shows that the owner cannot be verified and red warns that the site is known to be malicious or insecure.

Organizations with a Belgian Enterprise Number can register their domains for free on the Safeonweb@Work platform. The system integrates real-time threat intelligence – if a validated site is compromised, its status immediately changes to orange or red. The extension analyses the certificate validation level, the certificate authority that issued it and whether the domain is registered as malicious.

With more than 50,000 users, the extension demonstrates how government-led initiatives can combine organizational verification with active threat monitoring. The programme’s success suggests that similar national or regional initiatives could scale globally with proper coordination and interoperability standards.

Action 5 – Strengthen user protections against messaging and voice phishing: Telecommunications providers and messaging platforms should strengthen safeguards that alert and empower users against text and voice phishing.
For verified business communications, they should establish mandatory sender verification standards across RCS implementations that use existing trust infrastructures – such as Certificate Authority Extended Validation and governmental digital identity programmes (e.g. eIDAS) – displaying prominent visual indicators including logos and verified checkmarks. As called out by Europol in its new position paper on caller ID spoofing, international coordination on interoperable technical standards is essential for cross-border effectiveness.59 Building on existing mobile network industry baseline controls for preventing unsolicited messaging traffic,60 devices should display default warnings for unknown senders, with blocking and reporting options, flagging patterns associated with phishing such as fake delivery notifications or suspicious links. Organizations should deploy AI-powered detection systems to identify emerging fraud campaigns and provide contextual risk warnings to users. Voice protection measures can be enhanced by combining caller authentication with real-time fraud scoring, helping to flag suspicious activity as it happens. These security efforts should be carefully balanced with usability, ensuring that protections remain accessible and supported by clear user education.

Action 6 – Accelerate phishing-resistant authentication and harden legacy methods: Traditional multifactor authentication (MFA) has improved account security and reduced fraud and account takeover, but attackers increasingly bypass it. Phishing-resistant solutions such as passkeys offer far greater protection and meet US National Institute of Standards and Technology (NIST) and European Union Agency for Cybersecurity (ENISA) high assurance standards. Yet most regulations still mandate outdated MFA technologies. Governments should design regulations driving adoption of phishing-resistant authentication, rewarding providers who implement state-of-the-art safeguards.
Meanwhile, legacy methods such as SMS one-time passwords will persist, particularly in emerging markets, and must be systematically hardened.61 Telecommunications providers should strengthen validation standards, secure delivery channels and enforce sender ID registries to block spoofing.62 Regulators must reinforce these with mandatory anti-spoofing controls and oversight. Achieving this in practice necessitates an evaluation of the associated costs and benefits. Until phishing-resistant methods achieve universal adoption, coordinated action by telecommunication providers, online platforms and regulators is essential to ensure that legacy mechanisms deliver the strongest possible protection.
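As an added illustration of the Box 6 trust signals above (example code, not the Safeonweb extension's own), the classifier below derives the green/orange/red signal from the TLS validation level, a registry of validated owners and a real-time threat feed, and lets the feed withdraw trust from a validated site after compromise. The registry entries, the feed entries and the rule that an EV certificate counts as owner validation are assumptions made for this example.

```javascript
// Added example, not the Safeonweb extension's code. The registry, the feed
// and the "EV counts as owner validation" rule are assumptions for illustration.
const GREEN = "green";   // owner validated
const ORANGE = "orange"; // owner cannot be verified, or trust withdrawn
const RED = "red";       // known malicious or insecure

// Constructed registry of domains whose owner has been validated
// (what a Safeonweb@Work-style registration would populate).
const VALIDATED_OWNERS = new Set(["bank.example.be", "shop.example.be"]);

// Constructed real-time threat feed: host -> verdict. A validated site can
// land here after compromise; the feed must then override the registration.
const THREAT_FEED = new Map([
  ["phish.example.net", "malicious"],
  ["shop.example.be", "compromised"],
]);

// Walk parent labels so that an entry for example.net also covers
// login.example.net. Returns the Map value, true for a Set hit, else undefined.
function lookupBySuffix(host, table) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (table.has(candidate)) {
      return table instanceof Map ? table.get(candidate) : true;
    }
  }
  return undefined;
}

// tls describes what the browser saw: { valid: boolean, validation: "DV"|"OV"|"EV" }.
function trustSignal(host, tls, feed = THREAT_FEED, registry = VALIDATED_OWNERS) {
  const verdict = lookupBySuffix(host, feed);
  // Threat intelligence and connection security are checked first: a
  // registered owner never outranks a known-bad or insecure site.
  if (verdict === "malicious" || !tls.valid) return RED;
  if (verdict === "compromised") return ORANGE;
  // Owner validated either through the registry or by an EV certificate.
  if (lookupBySuffix(host, registry) || tls.validation === "EV") return GREEN;
  return ORANGE;
}

// Constructed sample: a validated site that was later flagged as compromised.
console.log(trustSignal("shop.example.be", { valid: true, validation: "OV" })); // orange
```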